VMware ThinApp Isolation Modes Explanation, Examples, & Video

ThinApp Isolation Modes are one of the really nice settings that not many people have explored. Most people who have built a ThinApp package using the easy VMware ThinApp GUI will not really need to worry about changing the VMware ThinApp Isolation Mode in Package.ini, because the ThinApp packager GUI asks you whether you want to allow the thinapped application to write to folders and files on the physical file system the ThinApp application runs on, or not allow it. What is happening in the background is that the GUI is simply changing the Isolation Mode in Package.ini for you.

Before going into Isolation Modes, it's worth mentioning that this post is part of a larger VMware ThinApp series I am creating, and below are the links to the other VMware ThinApp posts in this series in case you were looking for one of them or are interested in reading them as well.

Back to VMware ThinApp Isolation Modes. OK, so if I am saying the default option is normally more than enough and we already know how to use it, what is the point of this post? This post is to show the extra modes and the use cases for them. A few days back one of my friends (a customer at the same time) had a tough requirement from his management for a ThinApped application. He is presenting an application through ThinApp to many users in his organization, and this application was originally written so that a user can export a report to a file as well as import data. Originally the way the application worked was not a problem for him, as the type of employee who had access to the application was highly restricted and they needed to be able to import and export files. Now the bank my friend works for wanted to start offering the same application to other types of users, but they wanted to ensure that those users could only display the data and could not import or export it from the system, and they wanted to avoid having to rewrite the application or develop a second version without the import and export features. The solution was easy. All he had to do was ThinApp the application with Full Isolation Mode, which does not allow the ThinApped application to read or write files or registry on the physical system. I don't see these cases every day, but I see them often in banks and other firms with higher security concerns. So below is a quick simplified explanation of the VMware ThinApp Isolation Modes:

– Merged: Allows both reading and writing of files and registry on the host system. (A good mode if your application needs to write to files or the registry on the system, e.g. Microsoft Office.)

– WriteCopy: Allows only reading of files and registry on the physical system, not writing to them. Writes go instead to files in the application's sandbox, where these files only exist when you run the application. (A good mode for applications which only need to read host system files/registry, but not write to them.)

– Full: Fully isolated, meaning the application cannot read or write files and registry on the host system; it only reads and writes virtual files that exist in the application's own sandbox and are only accessible through the application when you run it (just like our friend's bank application discussed above).

Further, the two modes you choose from in the ThinApp Setup Capture GUI are as follows:

– Modified Merged isolation mode

The default file system isolation mode in the Setup Capture wizard is Full write access, or modified Merged.

The modified Merged isolation mode in the Setup Capture wizard allows users to write to any directory except for specified system directories. This is recommended for applications that you trust.

Almost every directory is writable, except for:

%AppData%

%Local AppData%

%Common AppData%

%SystemRoot%

%SystemSystem% (*see note below)

%ProgramFilesDir%

%Program Files Common%

* %SystemSystem%\spool remains writable, so Setup Capture creates an exception file to preserve Merged mode in this subdirectory of %SystemSystem%.

Writes to these directories go to the Sandbox instead.

– Modified WriteCopy isolation mode

The Restricted write access, or modified WriteCopy, isolation mode in the Setup Capture wizard prevents users from writing to any directory on the physical system except for a few specified user directories. Modified WriteCopy is recommended for applications you do not trust, or for legacy applications that you will deploy to more recent operating system versions. It is also recommended for virtual applications running in locked-down PC environments.

The only directories that are writable on the physical system with modified WriteCopy isolation mode are:

%Desktop%

%Personal% (My Documents)

%SystemSystem%\spool

All other writes go to the Sandbox.

OK, so if you want one of the modified modes you can set it through the GUI, but if you need one of the other ThinApp Isolation Modes you will need to change it directly in the Package.ini file. An example of the syntax is below:

[Isolation]
; File system isolation mode: Merged, WriteCopy or Full
DirectoryIsolationMode=Merged
; Registry isolation mode: Merged, WriteCopy or Full
RegistryIsolationMode=Merged
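As an added example (my own script, not VMware's or ThinApp's code), here is a small Python model of the rules described above: it reads the [Isolation] section of a Package.ini, predicts for a folder macro whether a write lands on the host or in the sandbox under each mode, and flags a package that does not meet the bank's display-only requirement. It assumes the directory lists exactly as given above, hard-codes the %SystemSystem%\spool exception instead of reading the exception file Setup Capture creates, and uses a constructed sample Package.ini.

```python
import configparser

# Directories the Setup Capture "modified Merged" mode redirects to the sandbox
# (the list above); writes anywhere else land on the host.
MODIFIED_MERGED_SANDBOXED = {
    "%AppData%", "%Local AppData%", "%Common AppData%", "%SystemRoot%",
    "%SystemSystem%", "%ProgramFilesDir%", "%Program Files Common%",
}
# Directories "modified WriteCopy" still lets the application write on the host
# (plus %SystemSystem%\spool, handled as an exception below).
MODIFIED_WRITECOPY_HOST = {"%Desktop%", "%Personal%"}

def parse_isolation(package_ini_text):
    """Return (DirectoryIsolationMode, RegistryIsolationMode) from Package.ini text."""
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cfg.read_string(package_ini_text)
    iso = cfg["Isolation"]  # KeyError if the package has no [Isolation] section
    return iso["DirectoryIsolationMode"], iso["RegistryIsolationMode"]

def write_target(mode, path):
    """Predict whether a write under a ThinApp folder macro lands on the host or in the
    sandbox. The 'Modified*' labels are this model's names for the two wizard choices."""
    if mode == "Merged":
        return "host"
    if mode in ("WriteCopy", "Full"):
        return "sandbox"
    parts = path.split("\\")
    in_spool = parts[:2] == ["%SystemSystem%", "spool"]  # the exception noted above
    if mode == "ModifiedMerged":
        return "host" if in_spool or parts[0] not in MODIFIED_MERGED_SANDBOXED else "sandbox"
    if mode == "ModifiedWriteCopy":
        return "host" if in_spool or parts[0] in MODIFIED_WRITECOPY_HOST else "sandbox"
    raise ValueError(f"unknown isolation mode: {mode}")

def display_only_issues(package_ini_text):
    """Check the bank requirement above: a display-only package needs Full isolation for
    both file system and registry; Merged and WriteCopy still let it read host data."""
    findings = []
    for key, mode in zip(("DirectoryIsolationMode", "RegistryIsolationMode"),
                         parse_isolation(package_ini_text)):
        if mode != "Full":
            findings.append(f"{key}={mode}: host data still readable by the application")
    return findings

# Constructed sample Package.ini fragment, not taken from a real capture.
SAMPLE_PACKAGE_INI = """\
[Isolation]
DirectoryIsolationMode=WriteCopy
RegistryIsolationMode=Merged
"""
```

Running display_only_issues over every Package.ini in a package repository is a quick way to catch a package that was captured with the wizard default when the application was supposed to be fully isolated.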

OK, that is all I wanted to say about VMware ThinApp Isolation Modes. Happy ThinApping, and watch the great video below, which explains VMware ThinApp Isolation with nice examples.

About The Author

Eiad Al-Aqqad is a Consulting Architect within the VMware Professional Services Software Defined Data Center practice. He is a VMware Certified Design Expert (VCDX#89). He helps VMware enterprise customers with their datacenter transformation efforts, be it Virtualization, Cloud Computing, Software Defined Datacenter, Infrastructure as a Service, or IT as a Service. He has developed strategic designs for some of the most complex environments around, where he got to execute on these designs or help the customer execute upon them.